    Notes on using and configuring bind

    1. Install bind

    yum -y install bind* caching-nameserver

    You can check whether bind is already installed with rpm -qa | grep bind.

    2. Configuration

    Configuration file: /etc/named.conf

    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    
    options {
    #       listen-on port 53 { 127.0.0.1; };   // listen on port 53 of the loopback address only
            listen-on port 53 { any; };         // listen on port 53 of every address; set the IPs to listen on here as needed
    #       listen-on-v6 port 53 { ::1; };      // for IPv6
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    #       forwarders {202.38.64.1;202.39.64.7;};   // forwarders (if this DNS server cannot resolve a name, forward the query to other DNS servers)
    #       allow-query     { localhost; };    // allow queries from localhost only
            allow-query     { any; };        // allow queries from anyone
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
            type hint;
            file "named.ca";     // list of the root DNS servers
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
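    The options above listen on every address, answer anyone and recurse for anyone, which is the combination that turns a server into an open resolver. As an added example (not part of the original post and not code from the BIND project), the Python script below parses the options block of a named.conf text, applies BIND's rule for who may recurse (allow-recursion, else allow-query-cache, else allow-query, else localnets and localhost) and flags that combination. Both configurations it checks are constructed samples; the hardened one's 192.168.2.90 listen address and 192.168.2.0/24 allow-recursion list are assumptions.

```python
import re

# Constructed sample (not the page's file verbatim): the effective, uncommented
# options of the named.conf above, which listens everywhere, answers anyone
# and recurses for anyone.
PERMISSIVE_CONF = """
options {
        listen-on port 53 { any; };         // all addresses
        directory       "/var/named";
        allow-query     { any; };          # everyone may query
        recursion yes;
        /* DNSSEC settings omitted for brevity */
};
"""

# Constructed hardened variant (addresses assumed): still authoritative for
# everyone, but recursion only for the host itself and its LAN.
HARDENED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 192.168.2.90; };
        directory       "/var/named";
        allow-query     { any; };
        allow-recursion { localhost; 192.168.2.0/24; };
        recursion yes;
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(conf, name):
    """Return the text between the braces of the top-level `name { ... };`
    statement, tracking nested braces so the address lists inside survive."""
    text = strip_comments(conf)
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def address_lists(body):
    """Map each `name [port N] { a; b; }` statement to its list of entries."""
    lists = {}
    for m in re.finditer(r"([a-z0-9-]+)\s*(?:port\s+\d+\s*)?\{([^}]*)\}", body):
        lists[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return lists


def recursion_enabled(body):
    m = re.search(r"\brecursion\s+(yes|no)\b", body)
    return m is None or m.group(1) == "yes"      # BIND defaults to yes


def recursion_clients(lists):
    """Who may recurse: allow-recursion, else allow-query-cache, else
    allow-query, else BIND's built-in default of localnets and localhost."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in lists:
            return lists[key]
    return ["localnets", "localhost"]


def is_open_resolver(conf):
    """True when the server recurses for any client and is reachable
    on something other than the loopback interface."""
    body = block_body(conf, "options")
    if body is None or not recursion_enabled(body):
        return False
    lists = address_lists(body)
    exposed = any(a not in LOOPBACK for a in lists.get("listen-on", ["any"]))
    return exposed and "any" in recursion_clients(lists)


if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_CONF), ("hardened", HARDENED_CONF)):
        print(label, "open resolver:", is_open_resolver(conf))
```

    Running it reports the permissive configuration as an open resolver and the hardened one as not; the fix keeps allow-query { any; } so the test.com zone stays reachable, and only restricts who may use the cache through allow-recursion.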

    The named.ca file is generated automatically when bind is installed; you can also download the named.root file from ftp://ftp.internic.net/domain and rename it to named.ca.

    Querying the same domain name with the bundled named.ca and with named.root gives different results, but both appear to be correct.

    Add your own domain to /etc/named.rfc1912.zones for testing:

    // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
    // (c)2007 R W Franks
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    
    zone "localhost.localdomain" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    
    zone "localhost" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    
    // for IPv6 , you can comment it if you want .
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
    };
    
    zone "1.0.0.127.in-addr.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
    };
    
    zone "0.in-addr.arpa" IN {
            type master;
            file "named.empty";
            allow-update { none; };
    };
    
    zone "test.com" IN {
            type master;
            file "test.com.zone";
            allow-update { none; };
    };
    
    zone "2.168.192.in-addr.arpa" IN {
            type master;
            file "2.168.192.in-addr.local";
            allow-update { none; };
    };

    Then create two files in /var/named, test.com.zone and 2.168.192.in-addr.local, for forward and reverse lookups respectively. Their owner and group must be the same as those of named.localhost and the other files in that directory (normally root:named); otherwise unexpected errors occur.

    test.com.zone

    $TTL    86400
    @               IN SOA  tom jerry (                     ; tom and jerry should really be the primary host name and the contact mailbox; arbitrary values here caused no problems
                                            42              ; serial (d. adams)
                                            3H              ; refresh
                                            15M             ; retry
                                            1W              ; expiry
                                            1D )            ; minimum
                   IN NS            ns.test.com.            ; notice : don't forget the dot in the end
                   IN MX 10         mail.test.com.
    www             IN A            192.168.2.80
    www             IN A            192.168.2.70
    ns              IN A            192.168.2.90
    mail            IN A            192.168.2.80
    ftp             IN CNAME        www

    1) Note the dot after the domain name: it marks a FQDN (Fully Qualified Domain Name); see TCP/IP Illustrated, Volume 1. Without it an error occurs, because the system treats the name as incomplete and appends the origin automatically, reporting:

    zone test.com/IN: NS 'ns.test.com.test.com' has no address records (A or AAAA)

    2) ns.test.com. must not be written as test.com.; misled by some blogs, I did not write the full name and got the following error:

    zone test.com/IN: NS 'test.com' has no address records (A or AAAA)

    The reverse lookup file 2.168.192.in-addr.local is written in the same way as test.com.zone:

    $TTL    86400
    @       IN      SOA     ns.test.com. root (
                                          1997022700 ; Serial
                                          28800      ; Refresh
                                          14400      ; Retry
                                          3600000    ; Expire
                                          86400 )    ; Minimum
            IN      NS      ns.test.com.
    80      IN      PTR     www.test.com.
    70      IN      PTR     www.test.com.
    80      IN      PTR     mail.test.com.
    90      IN      PTR     ns.test.com.
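    To make the naming rules above concrete (a trailing dot marks an absolute name, a blank owner repeats the previous one, and an NS inside the zone needs an A record), here is an added Python example, not from the original post and not BIND's code, that parses a zone file the way the text describes and reproduces the two "has no address records" messages quoted above. The zone texts are constructed copies of test.com.zone and 2.168.192.in-addr.local; the same parser handles the reverse zone, where the NS target lies outside the zone and so needs no address record there.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdw]?", re.I)

# Constructed copy of the page's test.com.zone with the NS written correctly.
FORWARD_ORIGIN = "test.com."
FORWARD_ZONE = """\
$TTL    86400
@               IN SOA  tom jerry (
                                        42              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
               IN NS            ns.test.com.            ; trailing dot: absolute name
               IN MX 10         mail.test.com.
www             IN A            192.168.2.80
www             IN A            192.168.2.70
ns              IN A            192.168.2.90
mail            IN A            192.168.2.80
ftp             IN CNAME        www
"""

# The two mistakes described above: NS without the trailing dot, and NS
# pointing at the zone apex instead of the ns host.
NO_DOT_ZONE = FORWARD_ZONE.replace(" ns.test.com. ", " ns.test.com ")
APEX_NS_ZONE = FORWARD_ZONE.replace(" ns.test.com. ", " test.com. ")

# Constructed copy of the reverse zone file 2.168.192.in-addr.local.
REVERSE_ORIGIN = "2.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL    86400
@       IN      SOA     ns.test.com. root (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      ns.test.com.
80      IN      PTR     www.test.com.
70      IN      PTR     www.test.com.
80      IN      PTR     mail.test.com.
90      IN      PTR     ns.test.com.
"""


def absolute(name, origin):
    """'@' is the origin, a name ending in '.' is already fully qualified,
    anything else gets the origin appended (the rule the page describes)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, type, rdata-tokens) triples with every owner absolute.
    Handles ';' comments, $TTL, multi-line '(...)' RDATA and a blank owner
    field meaning 'same owner as the previous record'."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)          # strip comments
        buf = buf + " " + line if buf else line
        if buf.count("(") > buf.count(")"):     # still inside parentheses
            continue
        logical.append(buf)
        buf = ""
    records, last_owner = [], origin
    for line in logical:
        if not line.strip() or line.startswith("$"):
            continue
        toks = line.replace("(", " ").replace(")", " ").split()
        if line[0] in " \t":                    # blank owner field
            owner = last_owner
        else:
            owner = absolute(toks.pop(0), origin)
        last_owner = owner
        while toks and (toks[0].upper() in CLASSES or TTL_RE.fullmatch(toks[0])):
            toks.pop(0)                         # optional class and TTL, either order
        records.append((owner, toks[0].upper(), toks[1:]))
    return records


def check_ns_addresses(records, origin):
    """Reproduce named's load-time complaint: every NS that points inside
    the zone must have an A or AAAA record in it."""
    have_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = absolute(rdata[0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in have_address:
            problems.append("zone %s/IN: NS '%s' has no address records (A or AAAA)"
                            % (origin.rstrip("."), target.rstrip(".")))
    return problems


if __name__ == "__main__":
    for label, zone in (("correct", FORWARD_ZONE), ("no dot", NO_DOT_ZONE), ("apex", APEX_NS_ZONE)):
        print(label, check_ns_addresses(parse_zone(zone, FORWARD_ORIGIN), FORWARD_ORIGIN))
```

    The missing dot turns ns.test.com into ns.test.com.test.com, exactly the name in the first error message; the apex form fails because test.com itself has no A record, only www, ns and mail do. named-checkzone performs the real check before you reload the server.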

    After configuration, change the host's nameserver address in /etc/sysconfig/network-scripts/ifcfg-eth0:

    DNS1=127.0.0.1    // if this is set to the LAN IP, our own test.com and the other locally defined names cannot be resolved; I don't know why
    DOMAIN=test.com   // default search domain: if the name being looked up is not fully qualified, the search domain is appended to it, e.g. ftp becomes ftp.test.com

    A test run:

    [root@Ivy-centos-32 ~]# /etc/init.d/named restart
    Stopping named:                                            [  OK  ]
    Starting named:                                            [  OK  ]
    [root@Ivy-centos-32 ~]# nslookup www.test.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    Name:   www.test.com
    Address: 192.168.2.80
    Name:   www.test.com
    Address: 192.168.2.70
    
    [root@Ivy-centos-32 ~]# nslookup ftp.test.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    ftp.test.com    canonical name = www.test.com.
    Name:   www.test.com
    Address: 192.168.2.70
    Name:   www.test.com
    Address: 192.168.2.80
    
    [root@Ivy-centos-32 ~]# nslookup 192.168.2.80
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    80.2.168.192.in-addr.arpa       name = www.test.com.
    80.2.168.192.in-addr.arpa       name = mail.test.com.
    
    [root@Ivy-centos-32 ~]# nslookup www.sina.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    Non-authoritative answer:
    www.sina.com    canonical name = us.sina.com.cn.
    us.sina.com.cn  canonical name = news.sina.com.cn.
    news.sina.com.cn        canonical name = jupiter.sina.com.cn.
    jupiter.sina.com.cn     canonical name = auriga.sina.com.cn.
    Name:   auriga.sina.com.cn
    Address: 61.172.201.195
    Name:   auriga.sina.com.cn
    Address: 61.172.201.194

    Set the nameserver address of the other machines in the subnet to this nameserver's subnet IP (for example 192.168.2.90) and Ivy-centos-32 will resolve names for them. If the nameserver cannot serve the subnet, the following error appears:

    [root@lab-webserver ~]# nslookup www.baidu.com
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached

    Check that listen-on and allow-query in /etc/named.conf are configured correctly; if they are and it still does not work, the cause is probably the nameserver's firewall.

    Files created or modified in /var/named are copied to /var/named/chroot/var/named; this is probably related to chroot and remains to be investigated.

    [root@Ivy-centos-32 named]# pwd
    /var/named
    [root@Ivy-centos-32 named]# ls -p
    2.168.192.in-addr.local  chroot/  data/  dynamic/  named.ca  named.ca.bk  named.empty  named.localhost  named.loopback  named.root  slaves/  test.com.zone

    After named has run, the contents of /var/named/chroot/var/named are as follows:

    [root@Ivy-centos-32 named]# pwd
    /var/named/chroot/var/named
    [root@Ivy-centos-32 named]# ls -p
    2.168.192.in-addr.local  chroot/  data/  dynamic/  named.ca  named.ca.bk  named.empty  named.localhost  named.loopback  named.root  slaves/  test.com.zone

    3. bind view

    Verifying bind view's "intelligent DNS" resolution, i.e. answering queries from different IP ranges with different DNS answers.

    Here we assume 127.0.0.1 and 192.168.2.80 are Telecom IPs, 192.168.2.245 is a Unicom IP, and all other IPs belong to Others. In the three files Telecom.test.com.zone, Unicom.test.com.zone and Others.test.com.zone we give www.test.com different addresses: Telecom 88.88.88.88, Unicom 99.99.99.99 and Others 77.77.77.77. The files are configured in the same way as above.

    Modify /etc/named.conf. When views are used, every zone must be defined inside a view statement, so add and change the following:

    acl Telecomacl {
            127.0.0.1;
            192.168.2.80;
    };
    
    acl Unicomacl {
            192.168.2.245;
    };
    
    acl Othersacl {
            any;
    };
    
    view "Telecom" {
            match-clients {"Telecomacl";};
            zone "test.com" IN {
                    type master;
                    file "Telecom.test.com.zone";
            };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    include "/etc/named.rfc1912.zones";
    };
    
    view "Unicom" {
            match-clients {"Unicomacl";};
            zone "test.com" IN {
                    type master;
                    file "Unicom.test.com.zone";
            };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    include "/etc/named.rfc1912.zones";
    };
    
    view "Others" {
            match-clients {"Othersacl";};
            zone "test.com" IN {
                    type master;
                    file "Others.test.com.zone";
            };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    include "/etc/named.rfc1912.zones";
    };

    The experimental results are as follows:

    server-80

    [root@80-server ~]# nslookup www.test.com
    Server:         192.168.2.90
    Address:        192.168.2.90#53
    
    Name:   www.test.com
    Address: 88.88.88.88
    Name:   www.test.com
    Address: 192.168.2.70

    server-245

    [root@245-server ~]# nslookup www.test.com
    Server:         192.168.2.90
    Address:        192.168.2.90#53
    
    Name:   www.test.com
    Address: 99.99.99.99
    Name:   www.test.com
    Address: 192.168.2.70

    server-70

    [root@70-server ~]# nslookup www.test.com
    Server:         192.168.2.90
    Address:        192.168.2.90#53
    
    Name:   www.test.com
    Address: 77.77.77.77
    Name:   www.test.com
    Address: 192.168.2.70
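    The results above follow from first-match evaluation of the view list: a client is served by the first view whose match-clients list accepts it, so the Others view with "any" must stay last. As an added example, not part of the original post and not BIND's code, the Python model below implements acl and match-clients resolution (the "localnets" value of 192.168.2.0/24 is an assumption about the server's subnet) and reproduces which view, and therefore which www.test.com answer, each of the three test clients receives.

```python
import ipaddress

# Constructed model of the acl statements above (not BIND's own code).
ACLS = {
    "Telecomacl": ["127.0.0.1", "192.168.2.80"],
    "Unicomacl": ["192.168.2.245"],
    "Othersacl": ["any"],
}

# Views in the order they appear in named.conf; the order matters because
# named uses the first view whose match-clients list accepts the client.
VIEWS = [
    ("Telecom", ["Telecomacl"]),
    ("Unicom", ["Unicomacl"]),
    ("Others", ["Othersacl"]),
]

# The view-specific www.test.com addresses from the three zone files.
WWW_ANSWERS = {"Telecom": "88.88.88.88", "Unicom": "99.99.99.99", "Others": "77.77.77.77"}

# Assumption: the server's own subnet, used for the built-in "localnets" entry.
LOCALNETS = [ipaddress.ip_network("192.168.2.0/24")]


def element_matches(element, client, acls):
    """One entry of an address-match list: 'any', 'none', 'localhost',
    'localnets', a named acl, or an IP/CIDR prefix."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return client.is_loopback
    if element == "localnets":
        return any(client in net for net in LOCALNETS)
    if element in acls:
        return list_matches(acls[element], client, acls)
    return client in ipaddress.ip_network(element, strict=False)


def list_matches(elements, client, acls):
    """BIND semantics: the first element that matches decides the result;
    a matching '!'-negated element rejects; no match at all rejects."""
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), client, acls):
            return not negated
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts client_ip, or None
    when no view matches (named would then refuse the query)."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if list_matches(match_clients, client, acls):
            return name
    return None


def answer_www(client_ip, views=VIEWS):
    """The www.test.com address the client would be given."""
    return WWW_ANSWERS.get(select_view(client_ip, views))


if __name__ == "__main__":
    for ip in ("192.168.2.80", "192.168.2.245", "192.168.2.70", "127.0.0.1"):
        print(ip, "->", select_view(ip), answer_www(ip))
    # Putting the catch-all view first would swallow every client:
    print("reversed order:", select_view("192.168.2.80", views=VIEWS[::-1]))
```

    Reversing the view order in the model sends even the Telecom client to Others, which is the same outcome a misordered named.conf produces; a client that matches no view at all gets no answer.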

    4. Clearing the DNS cache

    To clear the DNS cache on the BIND server, use the following command:

    [root@Ivy-centos-32 ~]# rndc flush

    References:

    http://hi.baidu.com/yum_install/item/edd01b306402bbd56d15e9a4 (main reference)

    http://mark.koli.ch/2010/03/howto-setting-up-your-own-local-dns-server.html

    http://jingyan.baidu.com/article/fcb5aff7e3cc75edaa4a71e4.html

    http://jingyan.baidu.com/article/67508eb4ee1ed59cca1ce416.html

    http://www.linuxquestions.org/questions/linux-networking-3/dns-error-%3B%3B-connection-timed-out-%3B-no-servers-could-be-reached-760598/ ( Connection timed out ; no servers could be reached)

    http://space.itpub.net/23071790/viewspace-714483 (parameter explanations)

    http://man.lupaworld.com/content/manage/DNS-bind.html (parameter explanations)

    http://yuanbin.blog.51cto.com/363003/108572 (detailed DNS configuration)

    http://yuanbin.blog.51cto.com/363003/108578

    http://yuanbin.blog.51cto.com/363003/108583

    http://www.mike.org.cn/articles/how-to-clear-dns-cache/ (how to clear the DNS cache)

    http://dl528888.blog.51cto.com/2382721/1249311(master & slave)

    http://dl528888.blog.51cto.com/2382721/1279643 (bind view intelligent DNS)

    http://os.51cto.com/art/201111/305114.htm (bind-dlz intelligent DNS)

    Original post: https://www.cnblogs.com/godjesse/p/3433265.html